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We present a simple and robust construction of a real-time quantum random number generator 
(QRNG). Our minimalist approach ensures stable operation of the device as well as its simple and 
straightforward hardware implementation as a stand-alone module. As a source of randomness 
the device uses measurements of time intervals between clicks of a single-photon detector. The 
obtained raw sequence is then filtered and processed by a deterministic randomness extractor, which 
is realized as a look-up table. This enables high speed on-the-fly processing without the need of 
extensive computations. The overall performance of the device is around 1 random bit per detector 
click, resulting in 1.2 Mbit/s generation rate in our implementation. 


Random number generation attracted a lot of attention 
since quantum technologies became available to serve for 
this purpose. Quantum random number generation gives 
access to the universal randomness of quantum mechan¬ 
ics, which is unavailable, at least theoretically, in classical 
physics. Over the last 20 years there was a number of dif¬ 
ferent QRNG approaches and suggestions about its prac¬ 
tical implementation. In the present work we looked for 
a highly practical and easy to implement QRNG, which 
will ensure stable operation due to its overall simplicity. 
To keep it simple we intentionally considered only designs 
with one single photon detector. Along with the physical 
part, not less important was the choice of a randomness 
extraction algorithm, which, by itself, should guarantee 
generation of independent and unbiased bits at the out¬ 
put under any conditions. 

There are many different approaches to quantum ran¬ 
domness generation described in the literature [ll-[lll|. 
Still, it is hard to clearly distinguish between what we 
call “quantum” and what in some sense belongs to sta¬ 
tistical physics. We associate the former with the use 
of simple “quantum measurements” and single photon 
(or other particles) detectors (SPDs), and believe that 
most other methods belong to the latter case, where it is 
harder to explain why the source is truly unpredictable 
and thus whether it can in principle generate true ran¬ 
domness. Among the SPD-based sources it is highly ben¬ 
eficial to use a single SPD in the whole setup. Besides 
the obvious reliability advantage, it also eliminates the 
need of any hardware calibration as SPDs typically have 
a large variation of performance parameters even within 
a particular type. Using more than one SPD also does 
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not give an advantage in the generation rate: typically 
the result is the same as the corresponding multiple of 
single SPD devices. 

The output of an SPD contains only timing informa¬ 
tion (it could be also a number of photons, but conven¬ 
tional SPDs do not resolve it) i.e. moments when a par¬ 
ticular photon caused an avalanche in the detector. This 
is the only data available for random numbers extraction. 
Realization of a quantum measurement may require en¬ 
gineered light pulses, for example in a “which way” ex¬ 
periment Q, or in a “multiple choice” one , but from 
the standpoint of performance those settings are subop- 
timal: instead of using any time moment measurable by 
the clock, we intentionally limit ourselves to only a few 
or several of them. Thus, in this sense optimal design 
should use a continuously running light source. 

The simplest form of this method is detection of the 
arrival times of photons from a cw coherent source [il,i 
Si El- This gives purely Poissonian statistics, which 
is simple to work with. A modification with temporally 
shaped cw source is also possible [l^ and gives slightly 
better performance at the expense of an increased system 
complexity and reduced reliability, which is unsuitable for 
our concept. 

Collecting timing information is commonly done in two 
different forms: timestamping arriving photons by the 
value of a free-running clock counter as in [3, i El, El 
or counting the number of clock cycles between adjacent 
detection events [1, H . The two are completely identical 
by the amount of obtained information (each form of data 
can be easily converted to the other one), but the second 
form consists of independent integers, while the first one 
unavoidably contains internal correlations. The correla¬ 
tions come from the slowly changing most significant bits 
of the time counter. A direct calculation [l| shows that in 
order to make correlations negligible, one has to ensure 
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that bit values change some 15 times faster than the av¬ 
erage counting rate, which poses a significant limitation 
on the amount of random data obtained. Thus, storing 
time intervals between detector clicks is advantageous as, 
by the definition of the Poisson process, all such values 
are perfectly independent. They are distributed with the 
exponential distribution, favoring small numbers and ex¬ 
ponentially decaying towards the large ones. 

Another not less important aspect of this approach is 
light generation. In principle, it would be the best to use 
a single (transverse, temporal, and polarization) mode 
cw coherent light source. In practice, however, it is not 
possible. We use instead an alternative approach, based 
on mode averaging. Even if the statistic of a single mode 
is not necessarily Poissonian, the more modes we detect 
the closer the output will resemble Poissonian process 
due to the PalmKhintchine theorem [l^. Thus, a sub¬ 
stantially multimode detection allows to arrive at a Pois¬ 
sonian process regardless of the photon statistic in each 
of the modes. 

After a raw stream of random data is acquired one 
needs to process it in order to obtain random and inde¬ 
pendent bits. This processing, or extraction, can be done 
in many different ways with two global approaches: us¬ 
ing deterministic algorithms and with seeded extractors. 
The second approach is much more powerful as it is capa¬ 
ble of extracting randomness from any type of a partially 
random sequence, however, in this work we stick to the 
first one. Seeded extractors need a perfectly random seed 
to operate. Until recently such algorithms required more 
random bits than they produced, e.g. using Toeplitz ma¬ 
trices [ll|. Later, a new Trevisan extractors family [l^ 
was introduced, which allows for generating more ran¬ 
domness than was consumed as the seed. It also allows 
re-using the seed for future conversions 171. 

The main difficulty with seeded extractors is that they 
are constructed for a particular rate of min-entropy pro¬ 
vided by the source. After it is defined the extractor 
gives a certain rate of compression, which does not de¬ 
pend on anything, including the actual quality of the raw 
sequence. This creates a possible flaw in the system: if 
by any reason the raw sequence degrades, the output of 
the seeded extractor will cease to be truly random. Such 
algorithms intrinsically lack any adaptivity and may eas¬ 
ily fail with a temporal drift of experimental parameters 
affecting the amount of generated entropy. 

Other problems include estimation of min-entropy of 
the source and real-time realization of such, especially 
Trevisan, extractor. Strictly speaking, it is impossible to 
measure min-entropy of any given source in finite time. 
Knowing the internal structure of the source helps but 
does not make the problem trivial. At the same time 
this parameter remains the only parameter that defines 
whether the QRNG output is random or not. It may be¬ 
come even more critical with re-using the extractor out¬ 
put as the seed. Real-time processing is rather a techni¬ 
cal but nevertheless one more important issue. Recent 
results show that realization of Trevisan construction 
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FIG. 1: Extraction of random bits for M = A = 4. The 
first line shows a word pattern, i.e. a sorted list of repetition 
numbers of each letter. The corresponding extraction process 
is given below on the example of one permutation family. 
The value / shows the share of a particular pattern in all 
= 256 possible input words; it coincides with the actual 
frequency of appearance if all letters are equiprobable. 


with modern computers yields some 17 kbits/s output bi- 
trate [l^ . Apparently, this is orders of magnitude slower 
than the entropy generation rate by a typical SPD. Such 
computational-hungry algorithm is hard to run when the 
system performance is not ignored. 

Based on the given discussion, we think that deter¬ 
ministic algorithms, if applicable, are better suited for 
our goals. Here we should notice that a popular ap¬ 
proach iiEl of using standard hash functions such 
as SHA-256 is, strictly speaking, invalid @ as it does 
not extract randomness, but rather only compresses the 
raw data in some peculiar fashion. It does not guar¬ 
antee independence of output bits and possesses similar 
weaknesses as seeded extractors. Talking about deter¬ 
ministic extractors, one needs to know properties of the 
input data. As was shown earlier we consider a stream 
of positive and independent integers with the exponential 
probability distribution. The goal of the extractor is to 
convert this stream into unbiased and independent bits. 

The most trivial but inefficient method is to convert 
the stream into independent but biased bits by taking 
the integers modulo 2 and then eliminate the bias using 
the von Neumann algorithm M- We use a generaliza¬ 
tion of this method to a finite al pha bet of M > 2 letters 
— the extended Elias algorithm , which is asymptot¬ 
ically efficient, converging to the entropy of the source 
(see also mi). Importantly, here any deterministic con¬ 
version of the obtained positive integers into the finite 
alphabet may be used, as it does not affect the quality 
of the extractor output. It is desirable, however, to ap¬ 
proach the uniform probability distribution within the 
alphabet to decrease the entropy loss. 

Realization of the Elias extraction algorithm is explic¬ 
itly given in [2^. Briefly, the input sequence is cut into 
words of N letters each. A probability of getting a partic¬ 
ular word is exactly the same as for all the words, which 
are permutations of letters of the original one. The to¬ 
tal number of such permutations gives the number of 
equiprobable states, one of which is obtained as the orig¬ 
inal word. All such states can be numbered, and the 
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FIG. 2: Extraction efficiency of the implemented algorithm 
vs. the size of the buffer for different alphabet sizes. The 
actual generator uses a 20-bit buffer and a 4-symbol alphabet, 
yielding 1.2 bits per raw symbol. 


number of the one obtained can be converted into ran¬ 
dom bits using its binary representation. 

An example of extraction for M = N = 4 is shown in 
Fig. [TJ The strings AAAA, ..., DDDD are mapped onto 
the empty set because they all have different probabili¬ 
ties of appearance unless the probability of obtaining the 
individual letters A, B, C, and D are exactly equal. The 
patterns ABBB, BABB, BBAB, and BBBA, and the like, 
generate two output bits because if the letter-generating 
events are independent, each combination of letters has 4 
equiprobable permutations irrespective of the probability 
of obtaining the individual letters A, ..., D. The largest 
number of permutations is obtained for the word ABCD, 
giving 24 variants; each results in 3 or 4 output bits. 

Following our minimalist doctrine we wanted to sim¬ 
plify required processing as much as possible. Taking into 
account that the expected throughput of the extractor 
should be in Mbits/s range, we sacrificed the efficiency 
of extraction but made it suitable for realization as a 
look-up table in a standard memory chip. In our imple¬ 
mentation we use an alphabet of M = 4 letters and make 
conversions using blocks of A^ = 10 such values. This 
matches the 20-bit address space of the 2 MB flash mem¬ 
ory chip used. Another limitation that favors smaller al¬ 
phabets and shorter processing blocks is the requirement 
of the process to be stationary: if parameters of the pro¬ 
cess drift, the output sequence may be not random any 
more. The process must be stationary during the time 
required to run through all possible combinations within 
a processing block, whose number is of the order of . 
Thus, a substantial increase of the alphabet size and the 
block length will also require to guarantee stability not 
for seconds, but for hours and even days, which is almost 
impossible to guarantee in practice: any feedback loop 
in the system, e.g. for keeping the constant count rate. 



FPGA and a 2MB flash memory chip 


FIG. 3: Block diagram of the experimental setup. 


should be substantially slower than this time, rendering 
the system to be extremely slow and impractical. 

Figure [2] shows the simulated efficiency of the extrac¬ 
tion algorithm for a varying size of the binary buffer 
b = A^flogM] needed to store the whole processing 
block. The data are calculated for a uniform distribu¬ 
tion of the input symbols and contain traces for different 
alphabet sizes M, which are conveniently chosen as the 
powers of 2. One can see that for a chosen pair of M = 4 
and A^ = 10 the algorithm generates 1.2 bits per input 
symbol. It is easy to note that scaling with the memory 
size is rather poor: even for a 40-bit address space, which 
is unrealistic and raises temporal stability concerns, the 
efficiency only approaches 1.8 bits per symbol. Thus, 
even as we sacrificed the bit generation rate for system 
simplicity and better output quality, we are still not too 
far from potential limits of this scheme. 

The discussed principles and ideas were fulfilled in our 
experimental realization (see Fig. |3]) based on a silicon 
SPD with a thin depletion layer and a ^'30 /rm sensitive 
area. All processing is made in an FPGA attached to 
a 2 MB flash memory chip. A red LED (A ss 627 nm, 
spectral width AA Ri 45nm) driven with a Ri 10 fiA cur¬ 
rent is used as a light source, while the whole pair of the 
LED and the SPD is temperature stabilized at -1-25° C. A 
feedback loop is used for stabilization of the count rate by 
adjustment of the LED current. The last one has a time 
constant of 16 s to ensure that the process is stationary 
on the time scale of counts. 

A major flaw in the experimental system with respect 
to the theory is non-ideal characteristics of the SPD. For 
the presented QRNG structure it is, first of all, temporal 
parameters of the SPD. While the photon arrival process 
is the Poissonian one, the generation of SPD clicks is not. 
It has a highly suppressed probability of detection right 
after the previous click, known as a dead time. It may 
also have the opposite effect with another temporal shape 
called afterpulsing, i.e. triggering further detector clicks 
by a previous one even when no other photons present. 

Our study of the actual process was performed at the 
same average count rate as used in the final device, 
namely 1.2 MHz. Figure S] shows count frequency his- 
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FIG. 4: Measured histogram of waiting times between detec¬ 
tor clicks at the average rate of 1.2 x 10® clicks/s. A pro¬ 
nounced deviation from the expected exponential behavior is 
seen at T < 150 ns. 


togram as a function of a delay between successive clicks. 
It ideally fits the expected exponential distribution ex¬ 
cept for the intervals shorter than 150 ns. A deviation 
from the expected distribution fits well by an exponential 
decay function with the time constant of 40 ns. 

Whatever is the nature of these non-idealities, as long 
as we can measure the maximal time period which is 
still affected, we can easily filter out dependent events by 
making sure that not a single time interval shorter than 
the specified time is used for random number generation. 
In general, we model the real SPD as an ideal detector 
giving Poissonian statistics, with a perturbation function 
with a maximal memory of r. To get rid of dependent 
events we use a simple digital filter that rejects all time 
intervals shorter than 160 ns, reducing the events rate 
from 1.2 to 1.0 MHz. 

Another significant flaw of the actual system is the 
presence of dark counts. The dark count rate of the de¬ 
tector used is around 200 Hz, which is almost 4 orders 
of magnitude smaller than regular count rate. Although 
the nature of dark counts is much more complicated and 
not obviously as “quantum” as photodetection events, it 
still has nearly Poissonian statistics and does not affect 
any obtained results. We can only say that 0.01% of the 
generated entropy may not be enough “quantum”. 

The detector clicks are time tagged with a resolution 
of 16 ns and corresponding time intervals are calculated. 
All intervals shorter than 160 ns are discarded, while the 
remaining ones are converted into a 4-symbol alphabet 


as shown in Fig. [5j The particular conversion scheme 
gives a more uniform distribution than the trivial mod¬ 
ulo operation. Blocks of 10 successive symbols repre¬ 
sented as ten 2-bit strings form a 20-bit address in the 
memory chip pointing to a 2-byte pre-calculated value. 
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FIG. 5: Gonversion of digitized time intervals into a 4-letter 
alphabet with bias reduction via bi-directional coding and a 
time filter cutoff of 10 clock cycles. 


bols obtained from zero (when all 10 symbols are the 
same) to 14 bits (the maximum number of permutations 
is 10!/(3!3!2!2!) = 25200). To enable this variable size 
output, a simple binary coding is used when the actual 
output data is left-padded with 1 and zeroes to form a 16- 
bit string 0 .. .0 1 ab .. .yz, where k is the output string 

15—fc k 

size and ah.. .yz is the string itself. 

Generated random bit sequences were characterized 
using the NIST statistical test suite. Testing 1 Gbit 
consecutive data chunks with a = 0.01 using 1000 bit 
streams by 10® bits showed the pass ratio well above 
0.98 for all tests. The P-valuer of the uniformity chi- 
square test among P-values obtained for each stream is 
0.68, which is above the 0.0001 confidence level. All ob¬ 
tained results suggest that generated sequences are in¬ 
distinguishable from truly random ones by the particular 
tests. The broad scope of the NIST suite and clear im¬ 
plemented QRNG operation principles confirm that the 
generated random data are of high quality and may be 
used in critical applications. 

In conclusion, we have experimentally demonstrated a 
quantum random number generator based on the mea¬ 
surement of waiting times in the process of photon ar¬ 
rival at the SPD. The main concept of the device is 
its simplicity, robustness, and real-time operation. The 
used deterministic randomness extractor together with 
a straightforward raw data processing enables adaptive 
random bits extraction that guarantees output quality 
regardless of the actual entropy of the source. 

The work was supported under the Government Future 
Research Fund (FPI) contract. 
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